aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorGavin Andresen <gavinandresen@gmail.com>2011-09-26 06:12:59 -0700
committerGavin Andresen <gavinandresen@gmail.com>2011-09-26 06:12:59 -0700
commit5df25e78db8257df5dc5f71073cb31d9ae16711c (patch)
tree25e8a0c8065be14b052014172658ad7732dd2064 /src
parent17e2c24645a10354849dec917b31f364e9056d58 (diff)
parent3f94dfa25fc1b0e838d368a9b2683a634cd3a60c (diff)
Merge pull request #513 from cjdelisle/feature-hardening
Hardening
Diffstat (limited to 'src')
-rw-r--r--src/makefile.unix30
1 files changed, 29 insertions, 1 deletions
diff --git a/src/makefile.unix b/src/makefile.unix
index 2b7f3f679d..b893853fd0 100644
--- a/src/makefile.unix
+++ b/src/makefile.unix
@@ -36,8 +36,36 @@ LIBS+= \
-l pthread
+# Hardening
+# Make some classes of vulnerabilities unexploitable in case one is discovered.
+#
+ # Stack Canaries
+ # Put numbers at the beginning of each stack frame and check that they are the same.
+ # If a stack buffer if overflowed, it writes over the canary number and then on return
+ # when that number is checked, it won't be the same and the program will exit with
+ # a "Stack smashing detected" error instead of being exploited.
+ HARDENING=-fstack-protector-all -Wstack-protector
+
+ # Make some important things such as the global offset table read only as soon as
+ # the dynamic linker is finished building it. This will prevent overwriting of addresses
+ # which would later be jumped to.
+ HARDENING+=-Wl,-z,relro -Wl,-z,now
+
+ # Build position independent code to take advantage of Address Space Layout Randomization
+ # offered by some kernels.
+ # see doc/build-unix.txt for more information.
+ ifdef PIE
+ HARDENING+=-fPIE -pie
+ endif
+
+ # -D_FORTIFY_SOURCE=2 does some checking for potentially exploitable code patterns in
+ # the source such overflowing a statically defined buffer.
+ HARDENING+=-D_FORTIFY_SOURCE=2
+#
+
+
DEBUGFLAGS=-g -D__WXDEBUG__
-CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS)
+CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS) $(HARDENING)
HEADERS = \
base58.h \
bignum.h \